Expert Commentary on Identity Management Day 2021

Today is Identity Management Day 2021. 

According to the Identity Defined Security Alliance, this is“a day of awareness to educate business leaders, IT decision-makers, and the general public about the importance of managing and securing digital identities.”

After all, identity management forms the core of all modern cybersecurity. Authentication forms the new digital perimeter and continuous authentication helps constitute a vital component of security monitoring. 

For more, we consulted with several cybersecurity experts. Here’s what they had to say about Identity Management Day 2021. 

Expert Commentary on Identity Management Day 2021

Doug Davis

Doug Davis is Senior Product Manager at Semperis. 

“With the growing popularity of cloud, enterprises have been gravitating toward a hybrid identity management model that promises the best of both worlds—a little bit in the cloud, and a little bit on-premises. For the vast majority, this means leveraging Azure Active Directory (AAD) alongside Active Directory (AD). Organizations making this change must consider three critical adjustments: the need for new authentication models, the loss of the traditional perimeter, and drastic changes to the permissions model.

“Changes in permissions are by far the biggest security risk when it comes to implementing hybrid identity management. Not only are there a huge number of services available when organizations move to a hybrid identity environment, but you also have roles in Azure AD that may be unfamiliar compare to the set of well-defined administrative groups in Active Directory. Organizations must establish strong governance of what apps are going to be turned on, who is able to make those changes, and what access rights they will get. While managing identity in a hybrid environment might seem as simple as joining a Windows device to AAD, failing to account for changes to the risk landscape opens the door to issues that can cause headaches in the future.”

Anurag Kahol

Anurag Kahol is CTO and Cofounder of Bitglass.

“Identity Management Day emphasizes the importance of protecting our digital identities (which is increasingly critical as the acceleration of digital transformation efforts opens new doors for threat actors). With many internet users holding dozens of online accounts across various services, it has become more difficult for them to memorize numerous, complex passwords. Unfortunately, password reuse has become a common malpractice that increases the chances of account hijacking when one set of a user’s credentials are leaked. More than 80 percent of hacking-related breaches are tied to lost or stolen credentials and it is now self-evident that passwords alone are not enough when it comes to authenticating users.”

“As the security landscape evolves, consumers and businesses must work together to ensure the privacy of corporate and personal data. To properly verify the identities of their employees and customers, companies must enhance their security protocols by establishing continuous, context-based security throughout the entire login experience. Solutions like multi-factor authentication (MFA) and Single Sign-On (SSO) don’t require users to remember countless passwords, while also mitigating the risk of account compromise. On a consumer level, users can safeguard their digital identity by educating themselves on the risks of password reuse, following cybersecurity best practices, and staying informed on rising threats. Because we now live in a time when our daily lives revolve around the internet and our various accounts therein, identity management awareness has never been more critical.”

Jasen Meece

Jasen Meece is CEO of Cloudentity. 

“Identity-related data breaches are very common these days, yet preventable if the right precautions are taken at both the individual and enterprise level. Not only on Identity Management Day, but every day, it’s critical that business leaders, IT decision-makers, and the general public are aware of the importance of responsibly managing and securing digital identities. Digital identity protects sensitive data and greatly impacts how we work, interact with each other, access technology, and complete transactions. Therefore, Identity Access and Management (IAM) and cybersecurity need to be treated holistically. Organizations must implement security best practices to keep employee and customer identities safe, and this includes securing applications starting at the API level.” 

“API Protection is key for managing identities (be they human or machine), dictating how an application can consume sensitive data. We’ve seen dozens of breaches from poorly-written APIs, where object or function level authorization issues cause programmatic data leakage that attackers can take advantage of. An example of this gone wrong is the Walgreens app error last year when a vulnerability of the Walgreen app’s API caused a data breach where customers could view the private medical messages of other customers. If organizations don’t take control of identity management integrated with API security, we will see even more large-scale data breaches.”

Tim Bandos

Tim Bandos is CISO of Digital Guardian. 

“So much personally identifiable information (PII) has been exposed in breaches over recent years that it is quite easy for hackers to use our identities against us. Everyone, in some form, is vulnerable to attack. In particular, the rich amount of compromised passwords and rise in cloud-based applications has left companies more vulnerable to compromise than ever before.”

“The security landscape has completely shifted since the pandemic and businesses need to be able to support a long-term hybrid workforce going forward. New research from Centrify showed that ‘an overwhelming percentage (90 percent) of cyber-attacks on cloud environments in the last 12 months involved compromised privileged credentials.’”

“Should a cyber-criminal obtain an employee’s credentials, they are able to log into their email, and then use that information to access more company services and applications – all with the company and victim being none the wiser. If the credentials entered are valid, the same alarms are not raised as when an authorized user attempts entry from the outside.”

“This means IAM solutions will need to be front and center during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges. Otherwise, you run the risk of cyber-criminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news, such as the recent breach at Verkada where credentials were compromised.”

“Organizations need to look at where identity management and data security meet. First and foremost, developing a working relationship between data security and IAM teams is key. Furthermore, deploying data-aware cybersecurity solutions will significantly minimize the risks, because even if an adversary has “legitimate” access to data through stolen credentials, they are prevented from copying, moving, or deleting it. Also, the roll-out of multi-factor authentication (MFA) is another component to fighting the growing tide of compromised credentials.”

Thank you to these experts for their time and expertise on Identity Management Day. For more, check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine.